Malware Analysis Report

2025-08-10 13:17

Sample ID 241109-ejphsazlgl
Target 5c940fd26e0b9ca0041893718bdf14d9244ebcb5a91fee19de13a59c52b59232
SHA256 5c940fd26e0b9ca0041893718bdf14d9244ebcb5a91fee19de13a59c52b59232
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

5c940fd26e0b9ca0041893718bdf14d9244ebcb5a91fee19de13a59c52b59232

Threat Level: Known bad

The file 5c940fd26e0b9ca0041893718bdf14d9244ebcb5a91fee19de13a59c52b59232 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

Redline family

Healer

Healer family

RedLine

RedLine payload

Modifies Windows Defender Real-time Protection settings

Loads dropped DLL

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:58

Reported

2024-11-09 04:01

Platform

win7-20240729-en

Max time kernel

142s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c940fd26e0b9ca0041893718bdf14d9244ebcb5a91fee19de13a59c52b59232.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CO904441.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5c940fd26e0b9ca0041893718bdf14d9244ebcb5a91fee19de13a59c52b59232.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vz693356.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\262821295.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5c940fd26e0b9ca0041893718bdf14d9244ebcb5a91fee19de13a59c52b59232.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vz693356.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CO904441.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\262821295.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1856 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\5c940fd26e0b9ca0041893718bdf14d9244ebcb5a91fee19de13a59c52b59232.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vz693356.exe
PID 2696 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vz693356.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CO904441.exe
PID 2756 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CO904441.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe
PID 2756 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CO904441.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\262821295.exe

Processes

"C:\Users\Admin\AppData\Local\Temp\5c940fd26e0b9ca0041893718bdf14d9244ebcb5a91fee19de13a59c52b59232.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vz693356.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CO904441.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\262821295.exe

Network

Country | Destination | Domain | Proto
RU | 185.161.248.142:38452 | N/A | tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\vz693356.exe

MD5 2a4818915d389d559319b6d0b46e6371
SHA1 f0667836d0218c5c9a534d09c5a4bcc3b5822946
SHA256 a2e5f18518eb888f934368c392cb1cb82fc65aeb55e0beb65cc2689cf164c1ba
SHA512 7ed2eb6fa3fab840e0ebf4817eb80e79b47378d5c8335606daedf52ebe8188a960ab6187e78b7b8d3db39ec81ae14ceacc6b6c98322722e00c8d7e53005ff524

\Users\Admin\AppData\Local\Temp\IXP001.TMP\CO904441.exe

MD5 e42ab68c8e89e2c9bb9e06acafcab0bc
SHA1 42a79efec24d0282506c345434910a4d1677595f
SHA256 38e071801b0cc528ae2ea5b6b983f2b2fe5aed4812717a5fce4c057aeccbeeeb
SHA512 c8fbc2b534018deedcbe9522afc32e9458e360659a6297854512d6320484214abcdd1a18a1372a5176876b25cbb90f43e723ad13e2d474384f1036cedabaf10d

\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe

MD5 9b0b29b311fb0309fad8b20f317cba3c
SHA1 b340447340fb8901664b6613c73eb5178d166745
SHA256 dcd3ab62648fe314f3bb31d319343222a6a7af52c9a1083fc0390c04b5de1855
SHA512 2faf667376b251d2a08a3507913d7638f5361804955bf56d86eb92323caed5414f2baa9be39de7a14ad24af45b6d4867c631da71da63d2aceae8f7c313ea52cb

\Users\Admin\AppData\Local\Temp\IXP002.TMP\262821295.exe

MD5 8c4032cf356ab17df014ee7490f00f45
SHA1 141ac17a4f80b44925bc400e94412aa873519cb7
SHA256 613682b8a972bcef479e9d93340d3b98cc89a8e55c8b3a29d12ef8c4ef5aa49b
SHA512 2c62c7cb4b34e3089fdeaef56846e18c8f8f5d12f34f8d58f0a1d7b1f0aefee99f48da9a21d4aca87fe69f0247e75fb1b54bec1b896580ad1bf69760ef7b7e79

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 03:58

Reported

2024-11-09 04:00

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c940fd26e0b9ca0041893718bdf14d9244ebcb5a91fee19de13a59c52b59232.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5c940fd26e0b9ca0041893718bdf14d9244ebcb5a91fee19de13a59c52b59232.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vz693356.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CO904441.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vz693356.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CO904441.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\262821295.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5c940fd26e0b9ca0041893718bdf14d9244ebcb5a91fee19de13a59c52b59232.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\262821295.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4224 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\5c940fd26e0b9ca0041893718bdf14d9244ebcb5a91fee19de13a59c52b59232.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vz693356.exe
PID 4944 wrote to memory of 264 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vz693356.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CO904441.exe
PID 264 wrote to memory of 3804 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CO904441.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe
PID 264 wrote to memory of 4892 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CO904441.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\262821295.exe

Processes

"C:\Users\Admin\AppData\Local\Temp\5c940fd26e0b9ca0041893718bdf14d9244ebcb5a91fee19de13a59c52b59232.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vz693356.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CO904441.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3804 -ip 3804
C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 1100
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\262821295.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
RU | 185.161.248.142:38452 | N/A | tcp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vz693356.exe

MD5 2a4818915d389d559319b6d0b46e6371
SHA1 f0667836d0218c5c9a534d09c5a4bcc3b5822946
SHA256 a2e5f18518eb888f934368c392cb1cb82fc65aeb55e0beb65cc2689cf164c1ba
SHA512 7ed2eb6fa3fab840e0ebf4817eb80e79b47378d5c8335606daedf52ebe8188a960ab6187e78b7b8d3db39ec81ae14ceacc6b6c98322722e00c8d7e53005ff524

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CO904441.exe

MD5 e42ab68c8e89e2c9bb9e06acafcab0bc
SHA1 42a79efec24d0282506c345434910a4d1677595f
SHA256 38e071801b0cc528ae2ea5b6b983f2b2fe5aed4812717a5fce4c057aeccbeeeb
SHA512 c8fbc2b534018deedcbe9522afc32e9458e360659a6297854512d6320484214abcdd1a18a1372a5176876b25cbb90f43e723ad13e2d474384f1036cedabaf10d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\104623527.exe

MD5 9b0b29b311fb0309fad8b20f317cba3c
SHA1 b340447340fb8901664b6613c73eb5178d166745
SHA256 dcd3ab62648fe314f3bb31d319343222a6a7af52c9a1083fc0390c04b5de1855
SHA512 2faf667376b251d2a08a3507913d7638f5361804955bf56d86eb92323caed5414f2baa9be39de7a14ad24af45b6d4867c631da71da63d2aceae8f7c313ea52cb

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\262821295.exe

MD5 8c4032cf356ab17df014ee7490f00f45
SHA1 141ac17a4f80b44925bc400e94412aa873519cb7
SHA256 613682b8a972bcef479e9d93340d3b98cc89a8e55c8b3a29d12ef8c4ef5aa49b
SHA512 2c62c7cb4b34e3089fdeaef56846e18c8f8f5d12f34f8d58f0a1d7b1f0aefee99f48da9a21d4aca87fe69f0247e75fb1b54bec1b896580ad1bf69760ef7b7e79
